Home / Threat Intelligence bulletins / Third-party WhatsApp "Security Overlay" found to install malware


Non-vendor supported overlays of applications that offer additional features such as additional protection mechanisms like fingerprint unlock, disappearing messages, hidden channels/chats and emojis are nothing new. These overlays require users to trust third-party developers with access to the application and the data within it. FMWhatsapp offers several of these potentially desirable features, however, has been found to install difficult to remove malware.


A trojan with access to a user’s text messages would be able to subscribe to premium services, intercept MFA codes or send malicious SMS messages from your number. Usually, messaging apps have other permissions on the phone as well which would grant them further access.

Vulnerability Detection

It is hard for users to recognise the potential threat because the application delivers the functionality that it advertises.

Containment, Mitigations & Remediations

Malware has been seen to be persistent beyond devices being factory reset because it writes itself to the system partition. It also replaces the libc.so system library to block full access to the system partition to prevent the user from removing it.

Completely reflashing the Android system on infected devices is the most foolproof method to get rid of the malware.

Indicators of Compromise



Threat Landscape

Lots of attention is being paid to mobile devices by cybercriminals, private individuals and organisations, and Nation States, because of the value that users place on the devices and the nature of material and communications that users store on them.

Mitre Methodologies

T1444 – Masquerade as Legitimate Application
T1467 – Deliver Malicious App via Other Means
T1509 – Uncommonly Used Port

Further Information

Kaspersky FMWhatsApp mod for WhatsApp downloads Trojans
Kaspersky Triada Trojan in WhatsApp mod
Bleeping Computer Malicious WhatsApp mod infects Android devices with malware